[
https://issues.apache.org/jira/browse/KNOX-3001?focusedWorklogId=900756&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-900756
]
ASF GitHub Bot logged work on KNOX-3001:
----------------------------------------
Author: ASF GitHub Bot
Created on: 19/Jan/24 18:20
Start Date: 19/Jan/24 18:20
Worklog Time Spent: 10m
Work Description: pzampino commented on code in PR #834:
URL: https://github.com/apache/knox/pull/834#discussion_r1459490179
##########
gateway-topology-simple/src/main/java/org/apache/knox/gateway/topology/simple/SimpleDescriptorHandler.java:
##########
@@ -635,6 +635,15 @@ private static Map<String, File> generateTopology(final
SimpleDescriptor desc,
return result;
}
+ /*
+ * First, undoes any previous manual XML escape.
+ * Second applies XML-escape on the result of the first step.
+ */
+ private static String getXmlEscapedValue(String value) {
+ final String unescapedValue = StringEscapeUtils.unescapeXml(value);
Review Comment:
Perhaps, even just a check for '&' since I don't think that's expected in
unescaped forms of this content?
Issue Time Tracking
-------------------
Worklog Id: (was: 900756)
Time Spent: 1h 10m (was: 1h)
> Avoid double XML escaping in SimpleDescriptorHandler
> ----------------------------------------------------
>
> Key: KNOX-3001
> URL: https://issues.apache.org/jira/browse/KNOX-3001
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> KNOX-2804 added a beneficial improvement in Knox's logic when dealing with
> JSON files and turned them into XML topologies: before the generated topology
> persisted, the possible values are XML-escaped to avoid errors in SAXParser.
> However, this might cause backward-compatible issues in deployments, where
> the data in the given shared provider config or descriptor is already given
> in XML-friendy way.
> For instance, using the following shared provider config will result in a bad
> XML topology:
> {noformat}
> {
> "providers" : [ {
> "role" : "webappsec",
> "name" : "WebAppSec",
> "enabled" : true,
> "params" : {
> "xframe.options.enabled" : "true"
> }
> }, {
> "role" : "authentication",
> "name" : "ShiroProvider",
> "enabled" : true,
> "params" : {
> "main.ldapContextFactory" :
> "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
> "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
> "main.ldapRealm.authenticationCachingEnabled" : "false",
> "main.ldapRealm.contextFactory" : "$ldapContextFactory",
> "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
> "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389";,
> "main.ldapRealm.userDnTemplate" :
> "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
> "main.ldapRealm.userSearchFilter" :
> "(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
> "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
> "restrictedCookies" : "rememberme,WWW-Authenticate",
> "sessionTimeout" : "30",
> "urls./**" : "authcBasic"
> }
> }, {
> "role" : "identity-assertion",
> "name" : "Default",
> "enabled" : true,
> "params" : { }
> } ],
> "readOnly" : true
> } {noformat}
> The generated XML:
> {noformat}
> <?xml version="1.0" encoding="utf-8"?>
> <!--==============================================-->
> <!-- DO NOT EDIT. This is an auto-generated file. -->
> <!--==============================================-->
> <topology>
> <generated>true</generated>
> <gateway>
> <provider>
> <role>webappsec</role>
> <name>WebAppSec</name>
> <enabled>true</enabled>
> <param>
> <name>xframe.options.enabled</name>
> <value>true</value>
> </param>
> </provider>
> <provider>
> <role>authentication</role>
> <name>ShiroProvider</name>
> <enabled>true</enabled>
> <param>
> <name>main.ldapContextFactory</name>
>
> <value>org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory</value>
> </param>
> <param>
> <name>main.ldapRealm</name>
>
> <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
> </param>
> <param>
> <name>main.ldapRealm.authenticationCachingEnabled</name>
> <value>false</value>
> </param>
> <param>
> <name>main.ldapRealm.contextFactory</name>
> <value>$ldapContextFactory</value>
> </param>
> <param>
>
> <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
> <value>simple</value>
> </param>
> <param>
> <name>main.ldapRealm.contextFactory.url</name>
> <value>ldap://localhost:33389</value>
> </param>
> <param>
> <name>main.ldapRealm.userDnTemplate</name>
> <value>uid=0ou=people,dc=hadoop,dc=apache,dc=org</value>
> </param>
> <param>
> <name>main.ldapRealm.userSearchFilter</name>
>
> <value>(&amp;(&amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))</value>
> </param>
> <param>
> <name>redirectToUrl</name>
> <value>/${GATEWAY_PATH}/knoxsso/knoxauth/login.html</value>
> </param>
> <param>
> <name>restrictedCookies</name>
> <value>rememberme,WWW-Authenticate</value>
> </param>
> <param>
> <name>sessionTimeout</name>
> <value>30</value>
> </param>
> <param>
> <name>urls./**</name>
> <value>authcBasic</value>
> </param>
> </provider>
> <provider>
> <role>identity-assertion</role>
> <name>Default</name>
> <enabled>true</enabled>
> </provider>
> </gateway> <service>
> <role>KNOXSSO</role>
> <param>
> <name>knoxsso.token.ttl</name>
> <value>86400000</value>
> </param>
> <param>
> <name>knoxsso.token.sigalg</name>
> <value></value>
> </param>
> <param>
> <name>knoxsso.redirect.whitelist.regex</name>
>
> <value>^https?:\/\/(.*smolnar\.root\.xyz\.com)(?::[0-9]+)?(?:\/.*)?$</value>
> </param>
> </service>
> <application>
> <name>knoxauth</name>
> </application>
> </topology> {noformat}
> As you can see, the value of {{main.ldapRealm.userSearchFilter}} is
> double-escaped that makes the topology invalid.
> Moreover, the previously added XML escape function is meant for XML 1.1
> documents whereas this code generates XML 1.0, so that this should be changed
> too.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
